new DNS forwarder vulnerability

Mark Andrews marka at isc.org
Wed Apr 2 20:28:58 UTC 2014


In message <C7E435C6-344F-49CD-9152-7A9EF2FA6662 at puck.nether.net>, Jared Mauch 
writes:
>
> On Apr 2, 2014, at 8:38 AM, Mark Allman <mallman at icir.org> wrote:
>
> >
> > [catching up]
> >
> >> That's a good question, but I know that during the ongoing survey
> >> within the Open Resolver Project [http://openresolverproject.org/],
> >> Jared found thousands of CPE devices which responded as resolvers.
> >
> > Not thousands, *tens of millions*.
> >
> > Our estimate from mid-2013 was 32M such devices (detailed in an IMC
> > paper last year; http://www.icir.org/mallman/pubs/SCRA13/).  And, that
> > roughly agrees with both the openresolverproject.org numbers and another
> > (not public) study I know of.  And, as if that isn't bad enough
> > ... there is a 2010 IMC paper that puts the number at 15M.  I.e., the
> > instances of brokenness are getting worse---doubling in 3 years!  UGH.
>
> One observation: The OpenResolverProject collects responses that come from
> ports that the query was not sent to (i.e.: device responds from UDP/12345,
> not from UDP/53, which obviously is broken and doesn't "work", but they
> actually return DNS payload which can be used for abuse).
>
> Some good news though:
>
> http://openresolverproject.org/breakdown-graph1.cgi

I see axes, legend but no data points.  If I hover over various spots
on the graph I see data values pop up.

> Since the start of 2014 there seem to be new CPE devices out there that
> are resolving this issue.  The linear nature of the line in the decrease
> doesn't seem to be something like "ISPs" started blocking udp/53 to
> customers, which would appear more like a step function.
>
> I'm aware of some other studies ongoing to fingerprint CPE and their
> behaviors/aggregated resolver dependencies.  I expect to see some of that
> data presented at the upcoming DNS-OARC meeting in Warsaw.
>
> Getting everyone to update their firmware on devices would go a long way
> as well.  Some vendors have no software QA on this front so add/remove
> the response on the WAN interface as their releases march forward.
>
> - Jared

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org